Eurojust, the European Union Agency responsible for facilitating judicial cooperation in criminal matters, has seen its operational powers significantly strengthened following the invasion of Ukraine. Its mandate was amended by Regulation (EU) 2022/838 to entrust it with new responsibilities for the preservation, analysis and storage of evidence relating to genocide, crimes against humanity, war crimes and related criminal offences (hereafter “core international crimes”). This evolution reflect two broader trends: on the one hand, the escalation of conflicts and grave human rights violations in the EU’s neighbourhood, with the EU emerging as a key actor in advancing accountability efforts; and on the other hand, the rapid digitalisation of evidence, which is reshaping the judicial cooperation landscape.
Against this background, this blogpost examines Eurojust’s expanded operational capacities since 2022, focusing in particular on the establishment of the Core international Crime Evidence Database (CICED). It explores how this new tool positions the Agency as a key intermediary between the national authorities of Member States and third countries, as well as international jurisdictions, in facilitating the sharing of evidence of core international crimes. It also considers the challenges arising from this development, especially in terms of data protection.
1. Eurojust’s enhanced operational role in core international crimes investigations
Core international crimes have formally fallen within Eurojust’s mandate since the adoption of Regulation (EU) 2018/1727, with the Agency already developing expertise in this field prior to 2022 in the context of the conflict in Syria and Iraq.
The outbreak of the war in Ukraine, however, marks a turning point. Often described as the most extensively documented conflict, it has triggered an unprecedented mobilisation of actors, with investigations opened in several EU Member States, third countries, and by the Prosecutor of the International Criminal Court (ICC). In this context, Eurojust’s operational support for investigations into core international crimes has both intensified and gained in visibility. This is reflected in the rapid deployment of existing cooperation tools, as exemplified by its support to the Joint Investigations Team (JIT) on alleged crimes committed in Ukraine, the largest ever established and the first to involve the Office of the ICC Prosecutor. These developments have been accompanied by new operational powers, culminating in the creation of a dedicated database within Eurojust: the Core international Crime Evidence Database (CICED). This latter development is particularly significant as it signals an expanded role for the Agency in facilitating the
handling and sharing of highly sensitive information intended for use in national and international proceedings.
1.1. The steps towards the creation of the CICED
In response to the operational challenges arising from the Ukrainian conflict, the CICED was established within Eurojust and became operational in 2023. This initiative stems from the extension of Eurojust’s mandate in May 2022 through Regulation (EU) 2022/838 of 30 May 2022, adopted less than a month after the proposal was introduced. More specifically, it results from an amendment to Article 4(1) of Eurojust Regulation, introducing a new point (j). This amendment empowers Eurojust to preserve, analyse and store evidence relating to genocide, crimes against humanity, war crimes and related criminal offences, and to share with, or make such evidence directly available to, competent national authorities and international judicial authorities, in particular the ICC. In addition, amendments to Annex II further allow the Agency to process additional categories of data, including DNA, photographs, fingerprints as well as audio recordings, videos and satellite images where they relate to such crimes.
As noted in the Commission proposal, the establishment of a new automated storage facility within Eurojust was considered necessary to enable the secure storage of evidence of core international crimes, thereby preventing its loss in territories where hostilities are ongoing. The proposal further emphasised the limitations of Eurojust’s existing ‘Case Management System’ (CMS) which lacked the capacity to centralise such evidence in a sufficiently secure and effective manner. This led to the establishment of the CICED as a separate, permanent database operating outside Eurojust’s CMS. Although Article 23(6) of the Eurojust Regulation formally prohibits such a solution, this derogation is intended to remain temporary, pending the establishment of a new CMS.
Importantly, the CICED is intended to support investigations into core international crimes without geographical limitation, and may therefore assist inquiries beyond the context of the conflict in Ukraine. Its effectiveness largely depends on contributions submitted, on a voluntary basis, by national authorities designated as competent to provide such data, namely authorities from EU Member States and third countries represented at Eurojust by Liaison Prosecutors. At present, twelve such Liaison Prosecutors are posted to Eurojust, including one from Ukraine.
1.2. A significant addition to Eurojust’s operational toolbox
The CICED is the first database established within the Agency to centralise evidence, with a view to facilitating its transmission to the competent authorities of Member States, third States and international jurisdictions. While Eurojust has developed experience in supporting the exchange of evidence in complex, large-scale investigations, particularly in the context of JITs as well as in relation to “battlefield evidence”, no dedicated infrastructure of this kind previously existed. By centralising evidence relating to core international crimes within a single repository, the CICED strengthens Eurojust’s position as a central information hub in the fight against impunity for such crimes.
The CICED also constitutes a further step in the digitalisation of Eurojust’s operational activities. As part of the European Commission’s 2021 digitalisation of justice package, reforms have been introduced, inter alia, to enhance the efficiency of the Eurojust judicial counter-terrorism register and strengthen its ability to identify links between parallel cross-border investigations and prosecutions regarding terrorist offences.
By contrast, the CICED goes beyond this function by offering capabilities that surpasses the mere identification of links between submitted materials. Presented as a “unique tailor-made judicial database”, it enables advanced analytical functions that support investigations into core international crimes in multiple ways. These include maintaining a complete overview of collected evidence; conducting targeted searches related to specific events or locations; and identifying evidentiary gaps and parallel investigations, as well as advising on prosecution strategies.
2. Still a facilitator, yet emerging as a crucial judicial hub
The conferral of new competences on Eurojust in relation to evidence of core international crimes under Regulation (EU) 2022/838 of 30 May 2022, does not alter its core supporting function as defined in Article 85 TFEU.
The tasks linked to the CICED are explicitly framed as supporting Member States’ action in combating core international crimes. Eurojust is not granted direct investigative powers, and reference to the “collection” of evidence that had appeared in earlier drafts was ultimately removed from the final text. Moreover, the Regulation does not impose any obligation to share evidence with Eurojust, meaning that contributions to the CICED remains voluntary, unlike the mandatory information-sharing regime applicable to terrorist offences.
Still, while Eurojust remains a facilitator of horizontal cooperation, it is increasingly assuming a prominent role in enabling vertical, cross-level interactions between national authorities, including those of third States, and international organisations, in particular the ICC. Through the CICED, Eurojust may receive, process and analyse materials submitted by national authorities of EU Member States and by those of third States with a Liaison Prosecutors, and make it available for use in both national and international criminal proceedings. In the words of Eurojust’s former President, Ladislav Hamran, the Agency is expected to act as a ‘bridge’ between domestic and international investigations. In fact, this evolution is not driven solely by efforts to address core international crimes in Ukraine. Parallel developments in counter-terrorism, particularly concerning foreign terrorist fighters, have further reinforced Eurojust’s role in cases of an international dimension. In this vein, a 2023 amendment to the Eurojust regulation clarified that Eurojust may assist not only in cases involving a Member State and a third State, but also in cases that affect a Member State and an international organisation.
Additionally, Eurojust’s role as a key intermediary between national authorities of Member States, those of third States and international organisations, is also evident in
other areas of its activities. This is particularly illustrated by its function as a contact point for requests from third countries and international organisations seeking access to data in the European Criminal Records System for Third Country Nationals (ECRIS-TCN). This function highlights its growing role as a gateway, enabling external partners to access, upon request, sensitive information held within the EU. This trend is even more pronounced in the context of the CICED, where Eurojust facilitates access to evidence originating not only from Member States, but also from third States represented by Liaison prosecutors. Moreover, the data involved are more sensitive: unlike ECRIS-TCN, which contains information on individuals convicted within the EU, the CICED centralises evidentiary material gathered at the pre-trial stage, including outside the EU.
3. Recent developments calling for closer scrutiny as regards personal data protection
As Eurojust is now tasked with centralising and facilitating access to sensitive data intended to serve as criminal evidence, the question of whether this role is accompanied by adequate safeguards is crucial. Although a comprehensive assessment remains premature at this early stage of the CICED’s operation, personal data protection already emerges as a pressing concern.
3.1 Data protection regime applicable to the CICED
Eurojust must ensure respect for the protection of personal data as guaranteed under Article 7 of the Charter, and relevant EU secondary rules. Since 2019, it operates within a framework aligned with EU general data protection standards, notably Regulation 2018/1725 (EUDPR) as lex generalis, and Regulation 2018/1727 as lex specialis. In this respect, Article 80 of the Eurojust Regulation, as amended in 2022, clarifies that data processing activities within the CICED remain subject to the safeguards laid down in both instruments. This clarification is significant as the creation of the CICED constitutes a derogation from Article 23(6) the Eurojust Regulation, which in principle prohibits the processing of personal data outside Eurojust’s CMS. It confirms that, notwithstanding its derogatory nature, the database remains fully subject to applicable data protection standards.
The operation of the CICED is also subject to supervision of the European Data Protection Supervisor (EDPS), which oversees Eurojust’s compliance with both Regulations 2018/1725 and 2018/1727. The EDPS was consulted at the stage of the Commission proposal amending the Eurojust Regulation with regard to the collection, preservation and analysis of evidence relating to core international crimes. In its Opinion 6/2022 of May 2022, it accepted the possibility for Eurojust to process personal data within the CICED by way of derogation, especially in light of the technical obsolescence of the current CMS. Its recommendations were ultimately reflected in Regulation (EU) 2022/838, including a more restrictive formulation of Article 4(1)(j), explicit references to relevant provisions of Regulation 2018/1725, and clarification that data retention periods applicable to the CICED align with those set out in Article 29 of the Eurojust Regulation.
3.2. Standards of data protection: reliance on external sources and recipients
According to publicly available figures, by 24 February 2025, more than 3 700 evidence files have been submitted to the CICED by 16 countries. As noted above, these materials may originate from third countries with a Liaison Prosecutor at Eurojust. Moreover, Eurojust may be empowered to share these materials with a wider spectrum of non-EU actors, i.e. national authorities from third countries, regardless of whether they have a Liaison Prosecutor, and international judicial authorities. Both scenarios raise data protection concerns.
At the submission phase, Eurojust may process personal data provided from third country authorities pursuant to Article 47 of Regulation (EU) 2018/1727. Third country Liaison Prosecutors are external partners with whom Eurojust maintains an advanced form of cooperation, including the exchange of personal data. Exchange of personal data with third country Liaison Prosecutors is contingent upon the prior conclusion of agreements, under which both parties commit to ensuring an adequate level of data protection. However, most of these agreements, including that concluded between Eurojust and Ukraine, predate the Eurojust Regulation 2018/1727, which raises question as to whether they still align with current EU standards. This is essential to ensuring that data submitted to the CICED are not subject to lower standards than those required under EU law.
This concern is equally relevant to the onward transfer of such data. Eurojust is indeed authorised to facilitate the exchange of data submitted to the CICED with “competent national authorities [including those of third States] and international judicial authorities, in particular the International Criminal Court”. While such transfers to external partners are, in principle, subject to the existence of adequate safeguards – established through an adequacy decision, the conclusion of an agreement or by any other means provided under Eurojust regulation – they may also take place by way of derogation. This is currently the case with regard to the transmission of evidence from the CICED to the ICC. However, it remains unclear how these data exchanges satisfy the conditions required to fall within the scope of the derogations provided for in Article 59 of the Regulation. So far, this issue has not been specifically addressed, aside from the European Commission’s July 2025 evaluation of Eurojust, which highlighted the need to conclude an international agreement with the ICC to ensure more structured data exchange.
3.3. Lack of transparency of supervision activities
As mentioned above, the EDPS is the main external supervisor of Eurojust, responsible for ensuring its compliance with both Regulation 2018/1725 and 2018/1727. In this regard, Article 80 of the Eurojust Regulation, as amended in 2022, provides that the EDPS shall be consulted prior to the operation of the CICED and deliver an opinion within two months following notification from the Data Protection Officer. Since the CICED became operational in 2023, the EDPS has been consulted at several stages of its implementation to ensure compliance with EU data protection rules. In particular, it issued two supervisory opinions in 2023 that were not made public: the first concerning the secure storage of transmitted evidence; and the second addressing the analysis of structured data, data security, and individuals’ right to access their personal data. In addition, an audit was carried out at Eurojust’s premises in June 2024 to assess whether the processing of operational personal data within the CICED complies with EU data protection law and the relevant provisions of the Eurojust Regulation. In this context, the EDPS assessed whether its earlier recommendations had been followed, although no information on the outcome of this audit has been made publicly available.
Against this background, even after extensive research the supervisory activities relating to the various stages of the CICED’s implementation remain only partially transparent.
4. Conclusion
The CICED significantly enhances the Agency’s operational capacities and contributes to its positioning as a central information hub supporting investigations and prosecutions conducted by Member States, third States, and international jurisdictions. While it does not fundamentally alter Eurojust’s facilitative role, it marks a further step towards its emergence as a “middleman” enabling not only horizontal but also vertical interactions across actors operating within different legal frameworks.
At the same time, preliminary concerns emerge regarding the implication of this development for fundamental rights, in particular data protection. Although the CICED remains subject to the standards applicable to Eurojust since 2019 important questions persist, notably regarding the level of protection afforded to data exchange with external partners and the limited transparency of supervisory activities.
Julia Burchett is a postdoctoral researcher at the Centre for European Law of the Université Libre de Bruxelles